{
  "catalog": {
    "uuid": "acedc0fc-2dae-5e26-85fb-6e66c2564bec",
    "metadata": {
      "title": "CVD Portal — CRA Vulnerability Handling Control Catalog",
      "last-modified": "2026-07-07T00:00:00Z",
      "version": "2026-07-07",
      "oscal-version": "1.1.2",
      "props": [
        {
          "name": "marking",
          "value": "TLP:CLEAR"
        }
      ],
      "remarks": "Machine-readable rendering of the CVD Portal vulnerability-handling control set, aligned to EN 40000-1-3 clauses (a draft harmonised standard not yet cited in the Official Journal of the EU). Provided as-is. Following it does not by itself confer presumption of conformity with Regulation (EU) 2024/2847."
    },
    "groups": [
      {
        "id": "applicability",
        "class": "cra-phase",
        "title": "Applicability",
        "controls": [
          {
            "id": "app-1",
            "title": "Requirement Enhancement Applicability",
            "props": [
              {
                "name": "label",
                "value": "APP-1"
              },
              {
                "name": "phase",
                "value": "applicability",
                "ns": "https://cvdportal.com/ns/oscal"
              },
              {
                "name": "output-artifact",
                "value": "output_statement_of_applicability",
                "class": "tenant",
                "ns": "https://cvdportal.com/ns/oscal"
              }
            ],
            "parts": [
              {
                "id": "app-1_smt",
                "name": "statement",
                "parts": [
                  {
                    "id": "app-1-rq-01",
                    "name": "item",
                    "props": [
                      {
                        "name": "label",
                        "value": "APP-1-RQ-01"
                      }
                    ],
                    "prose": "The applicability of the requirement enhancements shall be determined based on the product risks."
                  },
                  {
                    "id": "app-1_note-2",
                    "name": "item",
                    "prose": "Note:* Requirements marked with \"RE\" indicate risk-based enhancements that apply where the regulatory risk assessment determines that additional rigor is necessary."
                  }
                ]
              },
              {
                "id": "app-1_obj",
                "name": "assessment-objective",
                "parts": [
                  {
                    "id": "app-1_obj-1",
                    "name": "assessment-objective",
                    "prose": "Evaluation of the applicability criteria based on the product context and risk assessment"
                  }
                ]
              }
            ]
          }
        ]
      },
      {
        "id": "preparedness",
        "class": "cra-phase",
        "title": "Preparedness",
        "controls": [
          {
            "id": "pre-1",
            "title": "Policy on Vulnerability Handling",
            "props": [
              {
                "name": "label",
                "value": "PRE-1"
              },
              {
                "name": "phase",
                "value": "preparedness",
                "ns": "https://cvdportal.com/ns/oscal"
              },
              {
                "name": "en-40000-clause",
                "value": "§4.1",
                "ns": "https://cvdportal.com/ns/oscal"
              },
              {
                "name": "output-artifact",
                "value": "output_policy_vuln_handling",
                "class": "tenant",
                "ns": "https://cvdportal.com/ns/oscal"
              },
              {
                "name": "output-artifact",
                "value": "output_upstream_stakeholders",
                "class": "tenant",
                "ns": "https://cvdportal.com/ns/oscal"
              },
              {
                "name": "output-artifact",
                "value": "output_remediation_schedule_data",
                "class": "tenant",
                "ns": "https://cvdportal.com/ns/oscal"
              }
            ],
            "parts": [
              {
                "id": "pre-1_smt",
                "name": "statement",
                "parts": [
                  {
                    "id": "pre-1-rq-01",
                    "name": "item",
                    "props": [
                      {
                        "name": "label",
                        "value": "PRE-1-RQ-01"
                      }
                    ],
                    "prose": "A policy on vulnerability handling shall be created, put in place and adhered to."
                  },
                  {
                    "id": "pre-1-rc-01",
                    "name": "item",
                    "props": [
                      {
                        "name": "label",
                        "value": "PRE-1-RC-01"
                      }
                    ],
                    "prose": "An organizational framework should be created to support the activities."
                  },
                  {
                    "id": "pre-1-rq-02",
                    "name": "item",
                    "props": [
                      {
                        "name": "label",
                        "value": "PRE-1-RQ-02"
                      }
                    ],
                    "prose": "The vulnerability handling policy shall include: basic guidance, principles, and responsibilities; measures to prevent premature disclosure; a target schedule for remediation development; strategies related to regular test and review activities."
                  },
                  {
                    "id": "pre-1-rc-02",
                    "name": "item",
                    "props": [
                      {
                        "name": "label",
                        "value": "PRE-1-RC-02"
                      }
                    ],
                    "prose": "A policy should include: full process description; roles and responsibilities; measures to prevent premature disclosure; activities/criteria to define a target schedule; list of downstream stakeholders; mapping of upstream stakeholders."
                  },
                  {
                    "id": "pre-1-rq-03",
                    "name": "item",
                    "props": [
                      {
                        "name": "label",
                        "value": "PRE-1-RQ-03"
                      }
                    ],
                    "prose": "The effectiveness of the vulnerability handling process shall be monitored."
                  },
                  {
                    "id": "pre-1-rq-04",
                    "name": "item",
                    "props": [
                      {
                        "name": "label",
                        "value": "PRE-1-RQ-04"
                      }
                    ],
                    "prose": "A mapping of upstream interdependencies, including open source, is required."
                  },
                  {
                    "id": "pre-1-rq-05",
                    "name": "item",
                    "props": [
                      {
                        "name": "label",
                        "value": "PRE-1-RQ-05"
                      }
                    ],
                    "prose": "A policy on vulnerability handling shall support all activities defined in the vulnerability disclosure policy."
                  }
                ]
              },
              {
                "id": "pre-1_obj",
                "name": "assessment-objective",
                "parts": [
                  {
                    "id": "pre-1_obj-1",
                    "name": "assessment-objective",
                    "prose": "Policy on vulnerability handling covers activities defined within document"
                  },
                  {
                    "id": "pre-1_obj-2",
                    "name": "assessment-objective",
                    "prose": "Existence of a list of upstream stakeholders linked to components with completeness check using SBOM"
                  },
                  {
                    "id": "pre-1_obj-3",
                    "name": "assessment-objective",
                    "prose": "Policy includes appropriate alignment with CVD, demonstrated organizational capabilities/roles/responsibilities"
                  },
                  {
                    "id": "pre-1_obj-4",
                    "name": "assessment-objective",
                    "prose": "Appropriate testing and review policies defined"
                  },
                  {
                    "id": "pre-1_obj-5",
                    "name": "assessment-objective",
                    "prose": "Evidence of process monitoring for vulnerability handling effectiveness"
                  }
                ]
              }
            ],
            "links": [
              {
                "href": "./catalog-en-40000-1-3.json#clause-4-1",
                "rel": "related",
                "text": "EN 40000-1-3 §4.1"
              }
            ]
          },
          {
            "id": "pre-2",
            "title": "Policy on Coordinated Vulnerability Disclosure",
            "props": [
              {
                "name": "label",
                "value": "PRE-2"
              },
              {
                "name": "phase",
                "value": "preparedness",
                "ns": "https://cvdportal.com/ns/oscal"
              },
              {
                "name": "en-40000-clause",
                "value": "§4.2",
                "ns": "https://cvdportal.com/ns/oscal"
              },
              {
                "name": "output-artifact",
                "value": "output_cvd_policy",
                "class": "portal",
                "ns": "https://cvdportal.com/ns/oscal"
              }
            ],
            "parts": [
              {
                "id": "pre-2_smt",
                "name": "statement",
                "parts": [
                  {
                    "id": "pre-2-rq-01",
                    "name": "item",
                    "props": [
                      {
                        "name": "label",
                        "value": "PRE-2-RQ-01"
                      }
                    ],
                    "prose": "A policy on coordinated vulnerability disclosure (CVD) shall be created, published in an accessible format and adhered to."
                  },
                  {
                    "id": "pre-2-rq-02",
                    "name": "item",
                    "props": [
                      {
                        "name": "label",
                        "value": "PRE-2-RQ-02"
                      }
                    ],
                    "prose": "A CVD policy shall include one or more contact mechanisms (e-mail, phone, web form, customer service)."
                  },
                  {
                    "id": "pre-2-rc-01",
                    "name": "item",
                    "props": [
                      {
                        "name": "label",
                        "value": "PRE-2-RC-01"
                      }
                    ],
                    "prose": "The contact mechanisms should provide accessibility via more than one sensory channel."
                  },
                  {
                    "id": "pre-2-rq-03",
                    "name": "item",
                    "props": [
                      {
                        "name": "label",
                        "value": "PRE-2-RQ-03"
                      }
                    ],
                    "prose": "Setting expectations for on-going communication shall be stated in this policy."
                  },
                  {
                    "id": "pre-2-rc-02",
                    "name": "item",
                    "props": [
                      {
                        "name": "label",
                        "value": "PRE-2-RC-02"
                      }
                    ],
                    "prose": "A vulnerability disclosure policy should include: vulnerability report contents, secure communication options, scope, publication, recognition."
                  },
                  {
                    "id": "pre-2-rc-03",
                    "name": "item",
                    "props": [
                      {
                        "name": "label",
                        "value": "PRE-2-RC-03"
                      }
                    ],
                    "prose": "A disclosure strategy should be in place to ensure information on vulnerability is not disclosed before it is addressed."
                  }
                ]
              },
              {
                "id": "pre-2_obj",
                "name": "assessment-objective",
                "parts": [
                  {
                    "id": "pre-2_obj-1",
                    "name": "assessment-objective",
                    "prose": "Evidence of the policy on CVD published/followed, aligned with internal handling policy"
                  },
                  {
                    "id": "pre-2_obj-2",
                    "name": "assessment-objective",
                    "prose": "Evidence of policy including agreements/parameters to estimate embargo period"
                  },
                  {
                    "id": "pre-2_obj-3",
                    "name": "assessment-objective",
                    "prose": "Evidence that contact mechanisms are published in an accessible format and consider more than one sensory channel"
                  }
                ]
              }
            ],
            "links": [
              {
                "href": "./catalog-en-40000-1-3.json#clause-4-2",
                "rel": "related",
                "text": "EN 40000-1-3 §4.2"
              }
            ]
          },
          {
            "id": "pre-3",
            "title": "Operational Security",
            "props": [
              {
                "name": "label",
                "value": "PRE-3"
              },
              {
                "name": "phase",
                "value": "preparedness",
                "ns": "https://cvdportal.com/ns/oscal"
              },
              {
                "name": "en-40000-clause",
                "value": "§4.3",
                "ns": "https://cvdportal.com/ns/oscal"
              },
              {
                "name": "output-artifact",
                "value": "output_security_measures_doc",
                "class": "tenant",
                "ns": "https://cvdportal.com/ns/oscal"
              },
              {
                "name": "output-artifact",
                "value": "output_receive_reports_capability",
                "class": "portal",
                "ns": "https://cvdportal.com/ns/oscal"
              }
            ],
            "parts": [
              {
                "id": "pre-3_smt",
                "name": "statement",
                "parts": [
                  {
                    "id": "pre-3-rc-01",
                    "name": "item",
                    "props": [
                      {
                        "name": "label",
                        "value": "PRE-3-RC-01"
                      }
                    ],
                    "prose": "Operational security should be provided throughout the activities of receiving and communicating about vulnerability information or reports."
                  },
                  {
                    "id": "pre-3-rq-01",
                    "name": "item",
                    "props": [
                      {
                        "name": "label",
                        "value": "PRE-3-RQ-01"
                      }
                    ],
                    "prose": "Limiting access to non-public vulnerability information on a need-to-know basis shall be considered."
                  }
                ]
              },
              {
                "id": "pre-3_obj",
                "name": "assessment-objective",
                "parts": [
                  {
                    "id": "pre-3_obj-1",
                    "name": "assessment-objective",
                    "prose": "Evidence of documented security measures"
                  }
                ]
              }
            ],
            "links": [
              {
                "href": "./catalog-en-40000-1-3.json#clause-4-3",
                "rel": "related",
                "text": "EN 40000-1-3 §4.3"
              }
            ]
          },
          {
            "id": "pre-4",
            "title": "On-going Communication",
            "props": [
              {
                "name": "label",
                "value": "PRE-4"
              },
              {
                "name": "phase",
                "value": "preparedness",
                "ns": "https://cvdportal.com/ns/oscal"
              },
              {
                "name": "en-40000-clause",
                "value": "§4.4",
                "ns": "https://cvdportal.com/ns/oscal"
              },
              {
                "name": "output-artifact",
                "value": "output_communication_record",
                "class": "portal",
                "ns": "https://cvdportal.com/ns/oscal"
              }
            ],
            "parts": [
              {
                "id": "pre-4_smt",
                "name": "statement",
                "parts": [
                  {
                    "id": "pre-4-rq-01",
                    "name": "item",
                    "props": [
                      {
                        "name": "label",
                        "value": "PRE-4-RQ-01"
                      }
                    ],
                    "prose": "Communication with reporters and other stakeholders shall be established and maintained."
                  },
                  {
                    "id": "pre-4-rq-02",
                    "name": "item",
                    "props": [
                      {
                        "name": "label",
                        "value": "PRE-4-RQ-02"
                      }
                    ],
                    "prose": "Communication with users shall implement accessible modes of communication."
                  }
                ]
              },
              {
                "id": "pre-4_obj",
                "name": "assessment-objective",
                "parts": [
                  {
                    "id": "pre-4_obj-1",
                    "name": "assessment-objective",
                    "prose": "Presence in CVD policy of commitments related to on-going communications"
                  },
                  {
                    "id": "pre-4_obj-2",
                    "name": "assessment-objective",
                    "prose": "Presence of accessible modes of communication"
                  },
                  {
                    "id": "pre-4_obj-3",
                    "name": "assessment-objective",
                    "prose": "Evidence exists that communication with stakeholders has been performed (if reports submitted)"
                  }
                ]
              }
            ],
            "links": [
              {
                "href": "./catalog-en-40000-1-3.json#clause-4-4",
                "rel": "related",
                "text": "EN 40000-1-3 §4.4"
              }
            ]
          },
          {
            "id": "pre-5",
            "title": "Secure Communication",
            "props": [
              {
                "name": "label",
                "value": "PRE-5"
              },
              {
                "name": "phase",
                "value": "preparedness",
                "ns": "https://cvdportal.com/ns/oscal"
              },
              {
                "name": "en-40000-clause",
                "value": "§4.5",
                "ns": "https://cvdportal.com/ns/oscal"
              },
              {
                "name": "output-artifact",
                "value": "output_secure_comms_doc",
                "class": "tenant",
                "ns": "https://cvdportal.com/ns/oscal"
              },
              {
                "name": "output-artifact",
                "value": "output_secure_comms_evidence",
                "class": "portal",
                "ns": "https://cvdportal.com/ns/oscal"
              }
            ],
            "parts": [
              {
                "id": "pre-5_smt",
                "name": "statement",
                "parts": [
                  {
                    "id": "pre-5-rc-01",
                    "name": "item",
                    "props": [
                      {
                        "name": "label",
                        "value": "PRE-5-RC-01"
                      }
                    ],
                    "prose": "Secure communication mechanisms should be provided throughout activities of receiving/communicating."
                  },
                  {
                    "id": "pre-5-rq-01-re",
                    "name": "item",
                    "props": [
                      {
                        "name": "label",
                        "value": "PRE-5-RQ-01-RE"
                      }
                    ],
                    "prose": "Secure communication mechanisms shall be provided and communicated to support the reporting mechanism."
                  },
                  {
                    "id": "pre-5-rc-02",
                    "name": "item",
                    "props": [
                      {
                        "name": "label",
                        "value": "PRE-5-RC-02"
                      }
                    ],
                    "prose": "Secure communication methods should support confidentiality and message integrity (e.g. HTTPS, S/MIME, OpenPGP)."
                  },
                  {
                    "id": "pre-5-rc-03",
                    "name": "item",
                    "props": [
                      {
                        "name": "label",
                        "value": "PRE-5-RC-03"
                      }
                    ],
                    "prose": "Stakeholders should have a way to report anonymously."
                  },
                  {
                    "id": "pre-5-rc-04",
                    "name": "item",
                    "props": [
                      {
                        "name": "label",
                        "value": "PRE-5-RC-04"
                      }
                    ],
                    "prose": "Methods of secure communication should not disrupt accessibility."
                  }
                ]
              },
              {
                "id": "pre-5_obj",
                "name": "assessment-objective",
                "parts": [
                  {
                    "id": "pre-5_obj-1",
                    "name": "assessment-objective",
                    "prose": "Presence in CVD policy of commitments related to secure communication"
                  },
                  {
                    "id": "pre-5_obj-2",
                    "name": "assessment-objective",
                    "prose": "Evidence of secure communication with stakeholders (if reports submitted)"
                  }
                ]
              }
            ],
            "links": [
              {
                "href": "./catalog-en-40000-1-3.json#clause-4-5",
                "rel": "related",
                "text": "EN 40000-1-3 §4.5"
              }
            ]
          },
          {
            "id": "pre-6",
            "title": "Product Identification",
            "props": [
              {
                "name": "label",
                "value": "PRE-6"
              },
              {
                "name": "phase",
                "value": "preparedness",
                "ns": "https://cvdportal.com/ns/oscal"
              },
              {
                "name": "en-40000-clause",
                "value": "§5.1",
                "ns": "https://cvdportal.com/ns/oscal"
              },
              {
                "name": "output-artifact",
                "value": "output_product_id_record",
                "class": "tenant",
                "ns": "https://cvdportal.com/ns/oscal"
              }
            ],
            "parts": [
              {
                "id": "pre-6_smt",
                "name": "statement",
                "parts": [
                  {
                    "id": "pre-6-rq-01",
                    "name": "item",
                    "props": [
                      {
                        "name": "label",
                        "value": "PRE-6-RQ-01"
                      }
                    ],
                    "prose": "A product shall be identifiable by providing at least: manufacturer name, product name, hardware identifier (if applicable), software identifier (if applicable)."
                  },
                  {
                    "id": "pre-6-rq-02",
                    "name": "item",
                    "props": [
                      {
                        "name": "label",
                        "value": "PRE-6-RQ-02"
                      }
                    ],
                    "prose": "If the product consists of both hardware and software, information for product identification shall be provided separately (e.g. part number, serial number, software version, release date, SWHID)."
                  }
                ]
              },
              {
                "id": "pre-6_obj",
                "name": "assessment-objective",
                "parts": [
                  {
                    "id": "pre-6_obj-1",
                    "name": "assessment-objective",
                    "prose": "Evidence of product identification"
                  }
                ]
              }
            ],
            "links": [
              {
                "href": "./catalog-en-40000-1-3.json#clause-5-1",
                "rel": "related",
                "text": "EN 40000-1-3 §5.1"
              }
            ]
          },
          {
            "id": "pre-7",
            "title": "Identification of Software Components",
            "props": [
              {
                "name": "label",
                "value": "PRE-7"
              },
              {
                "name": "phase",
                "value": "preparedness",
                "ns": "https://cvdportal.com/ns/oscal"
              },
              {
                "name": "en-40000-clause",
                "value": "§5.2",
                "ns": "https://cvdportal.com/ns/oscal"
              },
              {
                "name": "output-artifact",
                "value": "output_identified_sw_components",
                "class": "portal",
                "ns": "https://cvdportal.com/ns/oscal"
              },
              {
                "name": "output-artifact",
                "value": "output_sbom",
                "class": "portal",
                "ns": "https://cvdportal.com/ns/oscal"
              }
            ],
            "parts": [
              {
                "id": "pre-7_smt",
                "name": "statement",
                "parts": [
                  {
                    "id": "pre-7-rq-01",
                    "name": "item",
                    "props": [
                      {
                        "name": "label",
                        "value": "PRE-7-RQ-01"
                      }
                    ],
                    "prose": "All software components contained in the product shall be identified and documented."
                  },
                  {
                    "id": "pre-7-rq-02",
                    "name": "item",
                    "props": [
                      {
                        "name": "label",
                        "value": "PRE-7-RQ-02"
                      }
                    ],
                    "prose": "For each component identified, include: Software producer, Component name, Component version."
                  },
                  {
                    "id": "pre-7-rq-03",
                    "name": "item",
                    "props": [
                      {
                        "name": "label",
                        "value": "PRE-7-RQ-03"
                      }
                    ],
                    "prose": "An SBOM shall be drawn up, including at least the top-level dependencies."
                  },
                  {
                    "id": "pre-7-rq-03-re",
                    "name": "item",
                    "props": [
                      {
                        "name": "label",
                        "value": "PRE-7-RQ-03-RE"
                      }
                    ],
                    "prose": "All software components shall be drawn up in the SBOM to detect transitive dependencies when technically feasible."
                  },
                  {
                    "id": "pre-7-rq-04",
                    "name": "item",
                    "props": [
                      {
                        "name": "label",
                        "value": "PRE-7-RQ-04"
                      }
                    ],
                    "prose": "The SBOM shall be assembled in a structured, machine-readable format (e.g. SPDX, CycloneDX)."
                  },
                  {
                    "id": "pre-7-rq-05",
                    "name": "item",
                    "props": [
                      {
                        "name": "label",
                        "value": "PRE-7-RQ-05"
                      }
                    ],
                    "prose": "If component is updated, a new SBOM shall be created."
                  },
                  {
                    "id": "pre-7-rc-01",
                    "name": "item",
                    "props": [
                      {
                        "name": "label",
                        "value": "PRE-7-RC-01"
                      }
                    ],
                    "prose": "When new details are detected or errors found, a revised SBOM should be issued."
                  },
                  {
                    "id": "pre-7-rq-06",
                    "name": "item",
                    "props": [
                      {
                        "name": "label",
                        "value": "PRE-7-RQ-06"
                      }
                    ],
                    "prose": "Metadata for SBOM shall include: SBOM Author, Version, Timestamp."
                  },
                  {
                    "id": "pre-7-rq-07",
                    "name": "item",
                    "props": [
                      {
                        "name": "label",
                        "value": "PRE-7-RQ-07"
                      }
                    ],
                    "prose": "For each component, include: info from RQ-02, Dependency relationship, Unique component identifiers (e.g. CPE, PURL, SWHID)."
                  },
                  {
                    "id": "pre-7-rq-07-re",
                    "name": "item",
                    "props": [
                      {
                        "name": "label",
                        "value": "PRE-7-RQ-07-RE"
                      }
                    ],
                    "prose": "If the supplier provides the hash and the corresponding algorithm for the component, it shall be included in the SBOM."
                  }
                ]
              },
              {
                "id": "pre-7_obj",
                "name": "assessment-objective",
                "parts": [
                  {
                    "id": "pre-7_obj-1",
                    "name": "assessment-objective",
                    "prose": "Evidence of the SBOM in a structured machine-readable format"
                  },
                  {
                    "id": "pre-7_obj-2",
                    "name": "assessment-objective",
                    "prose": "Comparison of identified assets to SBOM entries demonstrating appropriate completeness"
                  }
                ]
              }
            ],
            "links": [
              {
                "href": "./catalog-en-40000-1-3.json#clause-5-2",
                "rel": "related",
                "text": "EN 40000-1-3 §5.2"
              }
            ]
          },
          {
            "id": "pre-8",
            "title": "Identification of Hardware Components",
            "props": [
              {
                "name": "label",
                "value": "PRE-8"
              },
              {
                "name": "phase",
                "value": "preparedness",
                "ns": "https://cvdportal.com/ns/oscal"
              },
              {
                "name": "en-40000-clause",
                "value": "§5.3",
                "ns": "https://cvdportal.com/ns/oscal"
              },
              {
                "name": "output-artifact",
                "value": "output_hw_components_list",
                "class": "portal",
                "ns": "https://cvdportal.com/ns/oscal"
              }
            ],
            "parts": [
              {
                "id": "pre-8_smt",
                "name": "statement",
                "parts": [
                  {
                    "id": "pre-8-rq-01",
                    "name": "item",
                    "props": [
                      {
                        "name": "label",
                        "value": "PRE-8-RQ-01"
                      }
                    ],
                    "prose": "Hardware components that are integrated in the product shall be identified and documented."
                  },
                  {
                    "id": "pre-8-rq-02",
                    "name": "item",
                    "props": [
                      {
                        "name": "label",
                        "value": "PRE-8-RQ-02"
                      }
                    ],
                    "prose": "For each identified hardware component record: hardware producer, component name, component identifier, firmware version (if applicable) (e.g. part number, batch number, production date)."
                  }
                ]
              },
              {
                "id": "pre-8_obj",
                "name": "assessment-objective",
                "parts": [
                  {
                    "id": "pre-8_obj-1",
                    "name": "assessment-objective",
                    "prose": "Evidence of the list of identified hardware components and related information"
                  },
                  {
                    "id": "pre-8_obj-2",
                    "name": "assessment-objective",
                    "prose": "Comparison of identified assets to the list to demonstrate completeness"
                  }
                ]
              }
            ],
            "links": [
              {
                "href": "./catalog-en-40000-1-3.json#clause-5-3",
                "rel": "related",
                "text": "EN 40000-1-3 §5.3"
              }
            ]
          },
          {
            "id": "pre-9",
            "title": "Planning Regular Tests and Reviews",
            "props": [
              {
                "name": "label",
                "value": "PRE-9"
              },
              {
                "name": "phase",
                "value": "preparedness",
                "ns": "https://cvdportal.com/ns/oscal"
              },
              {
                "name": "en-40000-clause",
                "value": "§6.1",
                "ns": "https://cvdportal.com/ns/oscal"
              },
              {
                "name": "output-artifact",
                "value": "output_security_test_review_plan",
                "class": "tenant",
                "ns": "https://cvdportal.com/ns/oscal"
              }
            ],
            "parts": [
              {
                "id": "pre-9_smt",
                "name": "statement",
                "parts": [
                  {
                    "id": "pre-9-rq-01",
                    "name": "item",
                    "props": [
                      {
                        "name": "label",
                        "value": "PRE-9-RQ-01"
                      }
                    ],
                    "prose": "A risk-based security test and review plan shall be created including schedules and frequency of specific tests and reviews."
                  },
                  {
                    "id": "pre-9-rq-02",
                    "name": "item",
                    "props": [
                      {
                        "name": "label",
                        "value": "PRE-9-RQ-02"
                      }
                    ],
                    "prose": "A security test and review plan shall consider aspects such as: product context, architecture/design, requirements, risk assessment, test cases/methodologies."
                  },
                  {
                    "id": "pre-9-rq-03",
                    "name": "item",
                    "props": [
                      {
                        "name": "label",
                        "value": "PRE-9-RQ-03"
                      }
                    ],
                    "prose": "Security reviews shall consider sources: state-of-the-art standards, threat landscape changes, vulnerabilities found in product/components/similar products, feedback on practical conditions of use."
                  },
                  {
                    "id": "pre-9-rq-04",
                    "name": "item",
                    "props": [
                      {
                        "name": "label",
                        "value": "PRE-9-RQ-04"
                      }
                    ],
                    "prose": "A security test and review plan shall be maintained based on results."
                  }
                ]
              },
              {
                "id": "pre-9_obj",
                "name": "assessment-objective",
                "parts": [
                  {
                    "id": "pre-9_obj-1",
                    "name": "assessment-objective",
                    "prose": "Evidence of the existence of the plan"
                  },
                  {
                    "id": "pre-9_obj-2",
                    "name": "assessment-objective",
                    "prose": "Evidence of elements of the plan being performed as planned"
                  }
                ]
              }
            ],
            "links": [
              {
                "href": "./catalog-en-40000-1-3.json#clause-6-1",
                "rel": "related",
                "text": "EN 40000-1-3 §6.1"
              }
            ]
          },
          {
            "id": "pre-10",
            "title": "Mechanisms for Distribution",
            "props": [
              {
                "name": "label",
                "value": "PRE-10"
              },
              {
                "name": "phase",
                "value": "preparedness",
                "ns": "https://cvdportal.com/ns/oscal"
              },
              {
                "name": "en-40000-clause",
                "value": "§6.2",
                "ns": "https://cvdportal.com/ns/oscal"
              },
              {
                "name": "output-artifact",
                "value": "output_distribution_mechanisms_doc",
                "class": "tenant",
                "ns": "https://cvdportal.com/ns/oscal"
              }
            ],
            "parts": [
              {
                "id": "pre-10_smt",
                "name": "statement",
                "parts": [
                  {
                    "id": "pre-10-rq-01",
                    "name": "item",
                    "props": [
                      {
                        "name": "label",
                        "value": "PRE-10-RQ-01"
                      }
                    ],
                    "prose": "A mechanism shall be provided to distribute security updates in a secure manner."
                  },
                  {
                    "id": "pre-10-rq-02",
                    "name": "item",
                    "props": [
                      {
                        "name": "label",
                        "value": "PRE-10-RQ-02"
                      }
                    ],
                    "prose": "A mechanism for the distribution of security information for the product shall be provided (e.g. advisories, release notes, notifications)."
                  },
                  {
                    "id": "pre-10-rq-03",
                    "name": "item",
                    "props": [
                      {
                        "name": "label",
                        "value": "PRE-10-RQ-03"
                      }
                    ],
                    "prose": "Where applicable, mechanisms for automatic distribution of security updates for product shall be provided."
                  }
                ]
              },
              {
                "id": "pre-10_obj",
                "name": "assessment-objective",
                "parts": [
                  {
                    "id": "pre-10_obj-1",
                    "name": "assessment-objective",
                    "prose": "Evidence of capability to distribute updates and information in a secure manner"
                  }
                ]
              }
            ],
            "links": [
              {
                "href": "./catalog-en-40000-1-3.json#clause-6-2",
                "rel": "related",
                "text": "EN 40000-1-3 §6.2"
              }
            ]
          }
        ]
      },
      {
        "id": "reception",
        "class": "cra-phase",
        "title": "Reception",
        "controls": [
          {
            "id": "rcp-1",
            "title": "Capability to Receive Reports",
            "props": [
              {
                "name": "label",
                "value": "RCP-1"
              },
              {
                "name": "phase",
                "value": "reception",
                "ns": "https://cvdportal.com/ns/oscal"
              },
              {
                "name": "en-40000-clause",
                "value": "§7.1",
                "ns": "https://cvdportal.com/ns/oscal"
              },
              {
                "name": "output-artifact",
                "value": "output_public_reporting_mechanism",
                "class": "portal",
                "ns": "https://cvdportal.com/ns/oscal"
              },
              {
                "name": "output-artifact",
                "value": "output_documented_reporting_mechanism",
                "class": "portal",
                "ns": "https://cvdportal.com/ns/oscal"
              },
              {
                "name": "output-artifact",
                "value": "output_received_reports_with_id",
                "class": "portal",
                "ns": "https://cvdportal.com/ns/oscal"
              }
            ],
            "parts": [
              {
                "id": "rcp-1_smt",
                "name": "statement",
                "parts": [
                  {
                    "id": "rcp-1-rq-01",
                    "name": "item",
                    "props": [
                      {
                        "name": "label",
                        "value": "RCP-1-RQ-01"
                      }
                    ],
                    "prose": "A publicly accessible reporting mechanism facilitating accessible modes shall be provided (e.g. web form, tracker, email, phone, security.txt)."
                  },
                  {
                    "id": "rcp-1-rq-02",
                    "name": "item",
                    "props": [
                      {
                        "name": "label",
                        "value": "RCP-1-RQ-02"
                      }
                    ],
                    "prose": "A mechanism shall be in place to track reported vulnerabilities with use of an identifier or tracking number."
                  },
                  {
                    "id": "rcp-1-rq-03",
                    "name": "item",
                    "props": [
                      {
                        "name": "label",
                        "value": "RCP-1-RQ-03"
                      }
                    ],
                    "prose": "A receipt of a potential vulnerability report shall be acknowledged within an established time frame based on the CVD policy."
                  },
                  {
                    "id": "rcp-1-rc-01",
                    "name": "item",
                    "props": [
                      {
                        "name": "label",
                        "value": "RCP-1-RC-01"
                      }
                    ],
                    "prose": "Reports should be accepted even if they use less secure mechanisms."
                  }
                ]
              },
              {
                "id": "rcp-1_obj",
                "name": "assessment-objective",
                "parts": [
                  {
                    "id": "rcp-1_obj-1",
                    "name": "assessment-objective",
                    "prose": "Evidence of a publicly available reporting mechanism that is accessible"
                  },
                  {
                    "id": "rcp-1_obj-2",
                    "name": "assessment-objective",
                    "prose": "Evidence of stored reports and assigned tracking identifier"
                  }
                ]
              }
            ],
            "links": [
              {
                "href": "./catalog-en-40000-1-3.json#clause-7-1",
                "rel": "related",
                "text": "EN 40000-1-3 §7.1"
              }
            ]
          },
          {
            "id": "rcp-2",
            "title": "Monitoring",
            "props": [
              {
                "name": "label",
                "value": "RCP-2"
              },
              {
                "name": "phase",
                "value": "reception",
                "ns": "https://cvdportal.com/ns/oscal"
              },
              {
                "name": "en-40000-clause",
                "value": "§7.2",
                "ns": "https://cvdportal.com/ns/oscal"
              },
              {
                "name": "output-artifact",
                "value": "output_vuln_info_record",
                "class": "portal",
                "ns": "https://cvdportal.com/ns/oscal"
              },
              {
                "name": "output-artifact",
                "value": "output_sources_monitored_list",
                "class": "portal",
                "ns": "https://cvdportal.com/ns/oscal"
              }
            ],
            "parts": [
              {
                "id": "rcp-2_smt",
                "name": "statement",
                "parts": [
                  {
                    "id": "rcp-2-rq-01",
                    "name": "item",
                    "props": [
                      {
                        "name": "label",
                        "value": "RCP-2-RQ-01"
                      }
                    ],
                    "prose": "Vulnerability information or reports from internal and external sources shall be monitored (automation preferable)."
                  },
                  {
                    "id": "rcp-2-rq-02",
                    "name": "item",
                    "props": [
                      {
                        "name": "label",
                        "value": "RCP-2-RQ-02"
                      }
                    ],
                    "prose": "The minimum list of sources shall include: (External) EU Vulnerability Database, Reported vulnerabilities; (Internal) Regular testing, Regular review."
                  },
                  {
                    "id": "rcp-2-rq-04",
                    "name": "item",
                    "props": [
                      {
                        "name": "label",
                        "value": "RCP-2-RQ-04"
                      }
                    ],
                    "prose": "The list of third-party components shall be monitored for end of support and usage."
                  }
                ]
              },
              {
                "id": "rcp-2_obj",
                "name": "assessment-objective",
                "parts": [
                  {
                    "id": "rcp-2_obj-1",
                    "name": "assessment-objective",
                    "prose": "Evidence of a list of internal and external sources monitored"
                  },
                  {
                    "id": "rcp-2_obj-2",
                    "name": "assessment-objective",
                    "prose": "Evidence of pertinent vulnerability record information"
                  }
                ]
              }
            ],
            "links": [
              {
                "href": "./catalog-en-40000-1-3.json#clause-7-2",
                "rel": "related",
                "text": "EN 40000-1-3 §7.2"
              }
            ]
          },
          {
            "id": "rcp-3",
            "title": "Potentially Impacted Software Components",
            "props": [
              {
                "name": "label",
                "value": "RCP-3"
              },
              {
                "name": "phase",
                "value": "reception",
                "ns": "https://cvdportal.com/ns/oscal"
              },
              {
                "name": "en-40000-clause",
                "value": "§7.3",
                "ns": "https://cvdportal.com/ns/oscal"
              },
              {
                "name": "output-artifact",
                "value": "output_impacted_sw_components",
                "class": "portal",
                "ns": "https://cvdportal.com/ns/oscal"
              }
            ],
            "parts": [
              {
                "id": "rcp-3_smt",
                "name": "statement",
                "parts": [
                  {
                    "id": "rcp-3-rq-01",
                    "name": "item",
                    "props": [
                      {
                        "name": "label",
                        "value": "RCP-3-RQ-01"
                      }
                    ],
                    "prose": "Potentially affected software components shall be identified based on vulnerability information collected. (Automation possible with SBOM)"
                  }
                ]
              },
              {
                "id": "rcp-3_obj",
                "name": "assessment-objective",
                "parts": [
                  {
                    "id": "rcp-3_obj-1",
                    "name": "assessment-objective",
                    "prose": "Evidence that identification activities have been performed"
                  },
                  {
                    "id": "rcp-3_obj-2",
                    "name": "assessment-objective",
                    "prose": "Evidence of identified potential vulnerabilities in software components"
                  }
                ]
              }
            ],
            "links": [
              {
                "href": "./catalog-en-40000-1-3.json#clause-7-3",
                "rel": "related",
                "text": "EN 40000-1-3 §7.3"
              }
            ]
          },
          {
            "id": "rcp-4",
            "title": "Potentially Impacted Hardware Components",
            "props": [
              {
                "name": "label",
                "value": "RCP-4"
              },
              {
                "name": "phase",
                "value": "reception",
                "ns": "https://cvdportal.com/ns/oscal"
              },
              {
                "name": "en-40000-clause",
                "value": "§7.4",
                "ns": "https://cvdportal.com/ns/oscal"
              },
              {
                "name": "output-artifact",
                "value": "output_impacted_hw_components",
                "class": "portal",
                "ns": "https://cvdportal.com/ns/oscal"
              }
            ],
            "parts": [
              {
                "id": "rcp-4_smt",
                "name": "statement",
                "parts": [
                  {
                    "id": "rcp-4-rq-01",
                    "name": "item",
                    "props": [
                      {
                        "name": "label",
                        "value": "RCP-4-RQ-01"
                      }
                    ],
                    "prose": "Potentially affected hardware components shall be identified based on vulnerability information collected."
                  }
                ]
              },
              {
                "id": "rcp-4_obj",
                "name": "assessment-objective",
                "parts": [
                  {
                    "id": "rcp-4_obj-1",
                    "name": "assessment-objective",
                    "prose": "Evidence that identification activities have been performed"
                  },
                  {
                    "id": "rcp-4_obj-2",
                    "name": "assessment-objective",
                    "prose": "Evidence of identified potential vulnerabilities in hardware components"
                  }
                ]
              }
            ],
            "links": [
              {
                "href": "./catalog-en-40000-1-3.json#clause-7-4",
                "rel": "related",
                "text": "EN 40000-1-3 §7.4"
              }
            ]
          },
          {
            "id": "rcp-5",
            "title": "Coordinator Involvement",
            "props": [
              {
                "name": "label",
                "value": "RCP-5"
              },
              {
                "name": "phase",
                "value": "reception",
                "ns": "https://cvdportal.com/ns/oscal"
              },
              {
                "name": "en-40000-clause",
                "value": "§7.5",
                "ns": "https://cvdportal.com/ns/oscal"
              },
              {
                "name": "output-artifact",
                "value": "output_coordinator_assigned",
                "class": "portal",
                "ns": "https://cvdportal.com/ns/oscal"
              }
            ],
            "parts": [
              {
                "id": "rcp-5_smt",
                "name": "statement",
                "parts": [
                  {
                    "id": "rcp-5-rc-01",
                    "name": "item",
                    "props": [
                      {
                        "name": "label",
                        "value": "RCP-5-RC-01"
                      }
                    ],
                    "prose": "A coordinator should be assigned and involved in the vulnerability handling process, where appropriate."
                  }
                ]
              },
              {
                "id": "rcp-5_obj",
                "name": "assessment-objective",
                "parts": [
                  {
                    "id": "rcp-5_obj-1",
                    "name": "assessment-objective",
                    "prose": "Where appropriate, evidence that a coordinator was assigned and involved"
                  }
                ]
              }
            ],
            "links": [
              {
                "href": "./catalog-en-40000-1-3.json#clause-7-5",
                "rel": "related",
                "text": "EN 40000-1-3 §7.5"
              }
            ]
          },
          {
            "id": "rcp-6",
            "title": "Performing Regular Tests",
            "props": [
              {
                "name": "label",
                "value": "RCP-6"
              },
              {
                "name": "phase",
                "value": "reception",
                "ns": "https://cvdportal.com/ns/oscal"
              },
              {
                "name": "en-40000-clause",
                "value": "§7.6",
                "ns": "https://cvdportal.com/ns/oscal"
              },
              {
                "name": "output-artifact",
                "value": "output_security_test_results",
                "class": "tenant",
                "ns": "https://cvdportal.com/ns/oscal"
              }
            ],
            "parts": [
              {
                "id": "rcp-6_smt",
                "name": "statement",
                "parts": [
                  {
                    "id": "rcp-6-rq-01",
                    "name": "item",
                    "props": [
                      {
                        "name": "label",
                        "value": "RCP-6-RQ-01"
                      }
                    ],
                    "prose": "Security testing shall be performed according to the security test and review plan."
                  }
                ]
              },
              {
                "id": "rcp-6_obj",
                "name": "assessment-objective",
                "parts": [
                  {
                    "id": "rcp-6_obj-1",
                    "name": "assessment-objective",
                    "prose": "Evidence of security tests being performed as planned"
                  },
                  {
                    "id": "rcp-6_obj-2",
                    "name": "assessment-objective",
                    "prose": "Evidence of security test results"
                  }
                ]
              }
            ],
            "links": [
              {
                "href": "./catalog-en-40000-1-3.json#clause-7-6",
                "rel": "related",
                "text": "EN 40000-1-3 §7.6"
              }
            ]
          },
          {
            "id": "rcp-7",
            "title": "Performing Regular Reviews",
            "props": [
              {
                "name": "label",
                "value": "RCP-7"
              },
              {
                "name": "phase",
                "value": "reception",
                "ns": "https://cvdportal.com/ns/oscal"
              },
              {
                "name": "en-40000-clause",
                "value": "§7.6",
                "ns": "https://cvdportal.com/ns/oscal"
              },
              {
                "name": "output-artifact",
                "value": "output_security_review_results",
                "class": "portal",
                "ns": "https://cvdportal.com/ns/oscal"
              },
              {
                "name": "output-artifact",
                "value": "output_updated_test_plan",
                "class": "tenant",
                "ns": "https://cvdportal.com/ns/oscal"
              }
            ],
            "parts": [
              {
                "id": "rcp-7_smt",
                "name": "statement",
                "parts": [
                  {
                    "id": "rcp-7-rq-01",
                    "name": "item",
                    "props": [
                      {
                        "name": "label",
                        "value": "RCP-7-RQ-01"
                      }
                    ],
                    "prose": "Security reviews shall be performed according to the security test and review plan."
                  },
                  {
                    "id": "rcp-7-rq-02",
                    "name": "item",
                    "props": [
                      {
                        "name": "label",
                        "value": "RCP-7-RQ-02"
                      }
                    ],
                    "prose": "The assumptions and all inputs of the product cybersecurity risk assessment shall be reviewed periodically (at least once a year), even if the product design does not change."
                  }
                ]
              },
              {
                "id": "rcp-7_obj",
                "name": "assessment-objective",
                "parts": [
                  {
                    "id": "rcp-7_obj-1",
                    "name": "assessment-objective",
                    "prose": "Evidence of reviews being performed based on information source defined"
                  },
                  {
                    "id": "rcp-7_obj-2",
                    "name": "assessment-objective",
                    "prose": "Evidence of updates to the security test and review plan"
                  }
                ]
              }
            ],
            "links": [
              {
                "href": "./catalog-en-40000-1-3.json#clause-7-6",
                "rel": "related",
                "text": "EN 40000-1-3 §7.6"
              }
            ]
          }
        ]
      },
      {
        "id": "verification",
        "class": "cra-phase",
        "title": "Verification",
        "controls": [
          {
            "id": "vrf-1",
            "title": "Initial Assessment and Verification",
            "props": [
              {
                "name": "label",
                "value": "VRF-1"
              },
              {
                "name": "phase",
                "value": "verification",
                "ns": "https://cvdportal.com/ns/oscal"
              },
              {
                "name": "en-40000-clause",
                "value": "§8.1",
                "ns": "https://cvdportal.com/ns/oscal"
              },
              {
                "name": "output-artifact",
                "value": "output_processing_doc",
                "class": "portal",
                "ns": "https://cvdportal.com/ns/oscal"
              },
              {
                "name": "output-artifact",
                "value": "output_verified_vuln_report",
                "class": "portal",
                "ns": "https://cvdportal.com/ns/oscal"
              }
            ],
            "parts": [
              {
                "id": "vrf-1_smt",
                "name": "statement",
                "parts": [
                  {
                    "id": "vrf-1-rq-01",
                    "name": "item",
                    "props": [
                      {
                        "name": "label",
                        "value": "VRF-1-RQ-01"
                      }
                    ],
                    "prose": "More information shall be requested from the reporter if the available information is insufficient."
                  },
                  {
                    "id": "vrf-1-rq-02",
                    "name": "item",
                    "props": [
                      {
                        "name": "label",
                        "value": "VRF-1-RQ-02"
                      }
                    ],
                    "prose": "An assessment of the vulnerability shall be performed."
                  }
                ]
              },
              {
                "id": "vrf-1_obj",
                "name": "assessment-objective",
                "parts": [
                  {
                    "id": "vrf-1_obj-1",
                    "name": "assessment-objective",
                    "prose": "Evidence that activities of vulnerability investigations have been performed"
                  },
                  {
                    "id": "vrf-1_obj-2",
                    "name": "assessment-objective",
                    "prose": "Evidence that info and status are tracked"
                  },
                  {
                    "id": "vrf-1_obj-3",
                    "name": "assessment-objective",
                    "prose": "Evidence exists that the severity has been determined"
                  }
                ]
              }
            ],
            "links": [
              {
                "href": "./catalog-en-40000-1-3.json#clause-8-1",
                "rel": "related",
                "text": "EN 40000-1-3 §8.1"
              }
            ]
          },
          {
            "id": "vrf-2",
            "title": "Vulnerability Risk Assessment",
            "props": [
              {
                "name": "label",
                "value": "VRF-2"
              },
              {
                "name": "phase",
                "value": "verification",
                "ns": "https://cvdportal.com/ns/oscal"
              },
              {
                "name": "en-40000-clause",
                "value": "§8.2",
                "ns": "https://cvdportal.com/ns/oscal"
              },
              {
                "name": "output-artifact",
                "value": "output_priority_assessment",
                "class": "portal",
                "ns": "https://cvdportal.com/ns/oscal"
              },
              {
                "name": "output-artifact",
                "value": "output_reporter_communication",
                "class": "portal",
                "ns": "https://cvdportal.com/ns/oscal"
              }
            ],
            "parts": [
              {
                "id": "vrf-2_smt",
                "name": "statement",
                "parts": [
                  {
                    "id": "vrf-2-rq-01",
                    "name": "item",
                    "props": [
                      {
                        "name": "label",
                        "value": "VRF-2-RQ-01"
                      }
                    ],
                    "prose": "The risk introduced by the vulnerability shall be assessed."
                  },
                  {
                    "id": "vrf-2-rq-02",
                    "name": "item",
                    "props": [
                      {
                        "name": "label",
                        "value": "VRF-2-RQ-02"
                      }
                    ],
                    "prose": "The priority shall be assigned to the vulnerability based on the risk assessment and product risk profile."
                  },
                  {
                    "id": "vrf-2-rq-03",
                    "name": "item",
                    "props": [
                      {
                        "name": "label",
                        "value": "VRF-2-RQ-03"
                      }
                    ],
                    "prose": "If the determination of the risk exceeds the defined threshold by the manufacturer's risk assessment, the resolution of the vulnerability shall be expedited."
                  },
                  {
                    "id": "vrf-2-rq-04",
                    "name": "item",
                    "props": [
                      {
                        "name": "label",
                        "value": "VRF-2-RQ-04"
                      }
                    ],
                    "prose": "If the vulnerability information source is from a CVD, the reporter shall be informed about the results of the verification."
                  }
                ]
              },
              {
                "id": "vrf-2_obj",
                "name": "assessment-objective",
                "parts": [
                  {
                    "id": "vrf-2_obj-1",
                    "name": "assessment-objective",
                    "prose": "Evidence of the communication with the reporter, if applicable"
                  },
                  {
                    "id": "vrf-2_obj-2",
                    "name": "assessment-objective",
                    "prose": "Evidence of prioritization of the vulnerability"
                  }
                ]
              }
            ],
            "links": [
              {
                "href": "./catalog-en-40000-1-3.json#clause-8-2",
                "rel": "related",
                "text": "EN 40000-1-3 §8.2"
              }
            ]
          }
        ]
      },
      {
        "id": "remediation",
        "class": "cra-phase",
        "title": "Remediation",
        "controls": [
          {
            "id": "rmd-1",
            "title": "Remediation Decision",
            "props": [
              {
                "name": "label",
                "value": "RMD-1"
              },
              {
                "name": "phase",
                "value": "remediation",
                "ns": "https://cvdportal.com/ns/oscal"
              },
              {
                "name": "en-40000-clause",
                "value": "§9.1",
                "ns": "https://cvdportal.com/ns/oscal"
              },
              {
                "name": "output-artifact",
                "value": "output_remediation_decision",
                "class": "portal",
                "ns": "https://cvdportal.com/ns/oscal"
              },
              {
                "name": "output-artifact",
                "value": "output_remediation_plan",
                "class": "portal",
                "ns": "https://cvdportal.com/ns/oscal"
              }
            ],
            "parts": [
              {
                "id": "rmd-1_smt",
                "name": "statement",
                "parts": [
                  {
                    "id": "rmd-1-rq-01",
                    "name": "item",
                    "props": [
                      {
                        "name": "label",
                        "value": "RMD-1-RQ-01"
                      }
                    ],
                    "prose": "A decision on how to remediate the vulnerability shall be taken."
                  },
                  {
                    "id": "rmd-1-rq-02",
                    "name": "item",
                    "props": [
                      {
                        "name": "label",
                        "value": "RMD-1-RQ-02"
                      }
                    ],
                    "prose": "In accordance with the decision, subsequent actions shall be planned, including the definition of the timeline for the remediation."
                  }
                ]
              },
              {
                "id": "rmd-1_obj",
                "name": "assessment-objective",
                "parts": [
                  {
                    "id": "rmd-1_obj-1",
                    "name": "assessment-objective",
                    "prose": "Evidence of the documented decision"
                  },
                  {
                    "id": "rmd-1_obj-2",
                    "name": "assessment-objective",
                    "prose": "Evidence of the remediation plan, including the timeline"
                  }
                ]
              }
            ],
            "links": [
              {
                "href": "./catalog-en-40000-1-3.json#clause-9-1",
                "rel": "related",
                "text": "EN 40000-1-3 §9.1"
              }
            ]
          },
          {
            "id": "rmd-2",
            "title": "Remediation Development",
            "props": [
              {
                "name": "label",
                "value": "RMD-2"
              },
              {
                "name": "phase",
                "value": "remediation",
                "ns": "https://cvdportal.com/ns/oscal"
              },
              {
                "name": "en-40000-clause",
                "value": "§9.2",
                "ns": "https://cvdportal.com/ns/oscal"
              },
              {
                "name": "output-artifact",
                "value": "output_produced_remediation",
                "class": "tenant",
                "ns": "https://cvdportal.com/ns/oscal"
              }
            ],
            "parts": [
              {
                "id": "rmd-2_smt",
                "name": "statement",
                "parts": [
                  {
                    "id": "rmd-2-rq-01",
                    "name": "item",
                    "props": [
                      {
                        "name": "label",
                        "value": "RMD-2-RQ-01"
                      }
                    ],
                    "prose": "The remediation shall be produced."
                  },
                  {
                    "id": "rmd-2-rq-02",
                    "name": "item",
                    "props": [
                      {
                        "name": "label",
                        "value": "RMD-2-RQ-02"
                      }
                    ],
                    "prose": "Security updates shall be provided separately from functional updates, where technically feasible."
                  }
                ]
              },
              {
                "id": "rmd-2_obj",
                "name": "assessment-objective",
                "parts": [
                  {
                    "id": "rmd-2_obj-1",
                    "name": "assessment-objective",
                    "prose": "Evidence of a produced remediation and related documentation"
                  }
                ]
              }
            ],
            "links": [
              {
                "href": "./catalog-en-40000-1-3.json#clause-9-2",
                "rel": "related",
                "text": "EN 40000-1-3 §9.2"
              }
            ]
          },
          {
            "id": "rmd-3",
            "title": "Remediation Test",
            "props": [
              {
                "name": "label",
                "value": "RMD-3"
              },
              {
                "name": "phase",
                "value": "remediation",
                "ns": "https://cvdportal.com/ns/oscal"
              },
              {
                "name": "en-40000-clause",
                "value": "§9.3",
                "ns": "https://cvdportal.com/ns/oscal"
              },
              {
                "name": "output-artifact",
                "value": "output_remediation_test_report",
                "class": "tenant",
                "ns": "https://cvdportal.com/ns/oscal"
              },
              {
                "name": "output-artifact",
                "value": "output_tested_remediation",
                "class": "tenant",
                "ns": "https://cvdportal.com/ns/oscal"
              }
            ],
            "parts": [
              {
                "id": "rmd-3_smt",
                "name": "statement",
                "parts": [
                  {
                    "id": "rmd-3-rq-01",
                    "name": "item",
                    "props": [
                      {
                        "name": "label",
                        "value": "RMD-3-RQ-01"
                      }
                    ],
                    "prose": "The remediation shall be tested to ensure the risks related to the vulnerability are mitigated and the impact on the product and the users is acceptable."
                  }
                ]
              },
              {
                "id": "rmd-3_obj",
                "name": "assessment-objective",
                "parts": [
                  {
                    "id": "rmd-3_obj-1",
                    "name": "assessment-objective",
                    "prose": "Evidence of the remediation test report"
                  },
                  {
                    "id": "rmd-3_obj-2",
                    "name": "assessment-objective",
                    "prose": "Tested remediation exists"
                  }
                ]
              }
            ],
            "links": [
              {
                "href": "./catalog-en-40000-1-3.json#clause-9-3",
                "rel": "related",
                "text": "EN 40000-1-3 §9.3"
              }
            ]
          }
        ]
      },
      {
        "id": "release",
        "class": "cra-phase",
        "title": "Release",
        "controls": [
          {
            "id": "rls-1",
            "title": "Security Update Release",
            "props": [
              {
                "name": "label",
                "value": "RLS-1"
              },
              {
                "name": "phase",
                "value": "release",
                "ns": "https://cvdportal.com/ns/oscal"
              },
              {
                "name": "en-40000-clause",
                "value": "§10.1",
                "ns": "https://cvdportal.com/ns/oscal"
              },
              {
                "name": "output-artifact",
                "value": "output_security_update_distribution",
                "class": "tenant",
                "ns": "https://cvdportal.com/ns/oscal"
              },
              {
                "name": "output-artifact",
                "value": "output_installation_instructions",
                "class": "tenant",
                "ns": "https://cvdportal.com/ns/oscal"
              }
            ],
            "parts": [
              {
                "id": "rls-1_smt",
                "name": "statement",
                "parts": [
                  {
                    "id": "rls-1-rq-01",
                    "name": "item",
                    "props": [
                      {
                        "name": "label",
                        "value": "RLS-1-RQ-01"
                      }
                    ],
                    "prose": "Security updates shall be provided, unless otherwise agreed between a manufacturer and a business user for a tailor-made product, free of charge."
                  },
                  {
                    "id": "rls-1-rq-02",
                    "name": "item",
                    "props": [
                      {
                        "name": "label",
                        "value": "RLS-1-RQ-02"
                      }
                    ],
                    "prose": "Once a security update is provisioned, it shall be distributed in a timely manner."
                  },
                  {
                    "id": "rls-1-rq-03",
                    "name": "item",
                    "props": [
                      {
                        "name": "label",
                        "value": "RLS-1-RQ-03"
                      }
                    ],
                    "prose": "Installation instructions shall be provided for security updates unless distribution is fully automated."
                  },
                  {
                    "id": "rls-1-rq-04",
                    "name": "item",
                    "props": [
                      {
                        "name": "label",
                        "value": "RLS-1-RQ-04"
                      }
                    ],
                    "prose": "The mechanisms to distribute security updates shall ensure their authenticity and integrity."
                  }
                ]
              },
              {
                "id": "rls-1_obj",
                "name": "assessment-objective",
                "parts": [
                  {
                    "id": "rls-1_obj-1",
                    "name": "assessment-objective",
                    "prose": "Evidence of security update distribution"
                  },
                  {
                    "id": "rls-1_obj-2",
                    "name": "assessment-objective",
                    "prose": "Evidence of implemented secure update mechanisms"
                  },
                  {
                    "id": "rls-1_obj-3",
                    "name": "assessment-objective",
                    "prose": "Evidence of automatic security update distribution implementation (if capable)"
                  },
                  {
                    "id": "rls-1_obj-4",
                    "name": "assessment-objective",
                    "prose": "Evidence of installation instructions"
                  }
                ]
              }
            ],
            "links": [
              {
                "href": "./catalog-en-40000-1-3.json#clause-10-1",
                "rel": "related",
                "text": "EN 40000-1-3 §10.1"
              }
            ]
          },
          {
            "id": "rls-2",
            "title": "Release Information",
            "props": [
              {
                "name": "label",
                "value": "RLS-2"
              },
              {
                "name": "phase",
                "value": "release",
                "ns": "https://cvdportal.com/ns/oscal"
              },
              {
                "name": "en-40000-clause",
                "value": "§10.2",
                "ns": "https://cvdportal.com/ns/oscal"
              },
              {
                "name": "output-artifact",
                "value": "output_published_vuln_info",
                "class": "portal",
                "ns": "https://cvdportal.com/ns/oscal"
              },
              {
                "name": "output-artifact",
                "value": "output_publication_delay_rationale",
                "class": "tenant",
                "ns": "https://cvdportal.com/ns/oscal"
              }
            ],
            "parts": [
              {
                "id": "rls-2_smt",
                "name": "statement",
                "parts": [
                  {
                    "id": "rls-2-rq-01",
                    "name": "item",
                    "props": [
                      {
                        "name": "label",
                        "value": "RLS-2-RQ-01"
                      }
                    ],
                    "prose": "Information of fixed vulnerabilities shall be published in accordance with the policy on CVD, and where appropriate, summarized or aggregated."
                  },
                  {
                    "id": "rls-2-rq-02",
                    "name": "item",
                    "props": [
                      {
                        "name": "label",
                        "value": "RLS-2-RQ-02"
                      }
                    ],
                    "prose": "The publication shall contain at least: description, identifier, affected product info, potential impact, severity, remediation instructions, release/update date."
                  },
                  {
                    "id": "rls-2-rq-03",
                    "name": "item",
                    "props": [
                      {
                        "name": "label",
                        "value": "RLS-2-RQ-03"
                      }
                    ],
                    "prose": "Information regarding fixed vulnerabilities shall be made available in a human-readable format."
                  },
                  {
                    "id": "rls-2-rq-03-re",
                    "name": "item",
                    "props": [
                      {
                        "name": "label",
                        "value": "RLS-2-RQ-03-RE"
                      }
                    ],
                    "prose": "Information regarding fixed vulnerabilities shall be made available in a widely recognized machine-readable format."
                  },
                  {
                    "id": "rls-2-pm-01",
                    "name": "item",
                    "props": [
                      {
                        "name": "label",
                        "value": "RLS-2-PM-01"
                      }
                    ],
                    "prose": "Full publication may be delayed if conditions apply (risks outweigh benefits, mitigations provided, users informed of disclosure date)."
                  },
                  {
                    "id": "rls-2-rc-01",
                    "name": "item",
                    "props": [
                      {
                        "name": "label",
                        "value": "RLS-2-RC-01"
                      }
                    ],
                    "prose": "Vulnerability information should be made publicly available on the EU Vulnerability Database (EUVD)."
                  }
                ]
              },
              {
                "id": "rls-2_obj",
                "name": "assessment-objective",
                "parts": [
                  {
                    "id": "rls-2_obj-1",
                    "name": "assessment-objective",
                    "prose": "Evidence of published information on vulnerabilities addressed"
                  },
                  {
                    "id": "rls-2_obj-2",
                    "name": "assessment-objective",
                    "prose": "Evidence of published machine-readable information (if applicable)"
                  },
                  {
                    "id": "rls-2_obj-3",
                    "name": "assessment-objective",
                    "prose": "Evidence of published info at EUVD (if applicable)"
                  },
                  {
                    "id": "rls-2_obj-4",
                    "name": "assessment-objective",
                    "prose": "Evidence of info on publication delay (if PM-01 utilized)"
                  }
                ]
              }
            ],
            "links": [
              {
                "href": "./catalog-en-40000-1-3.json#clause-10-2",
                "rel": "related",
                "text": "EN 40000-1-3 §10.2"
              }
            ]
          }
        ]
      },
      {
        "id": "post-release",
        "class": "cra-phase",
        "title": "Post-Release",
        "controls": [
          {
            "id": "pra-1",
            "title": "Post-Release Actions",
            "props": [
              {
                "name": "label",
                "value": "PRA-1"
              },
              {
                "name": "phase",
                "value": "post-release",
                "ns": "https://cvdportal.com/ns/oscal"
              },
              {
                "name": "en-40000-clause",
                "value": "§11.1",
                "ns": "https://cvdportal.com/ns/oscal"
              },
              {
                "name": "output-artifact",
                "value": "output_postrelease_actions_doc",
                "class": "tenant",
                "ns": "https://cvdportal.com/ns/oscal"
              }
            ],
            "parts": [
              {
                "id": "pra-1_smt",
                "name": "statement",
                "parts": [
                  {
                    "id": "pra-1-rq-01",
                    "name": "item",
                    "props": [
                      {
                        "name": "label",
                        "value": "PRA-1-RQ-01"
                      }
                    ],
                    "prose": "Post-release actions shall be carried out, including: Case maintenance, Monitoring of remediation."
                  }
                ]
              },
              {
                "id": "pra-1_obj",
                "name": "assessment-objective",
                "parts": [
                  {
                    "id": "pra-1_obj-1",
                    "name": "assessment-objective",
                    "prose": "Evidence of post-release actions exists"
                  },
                  {
                    "id": "pra-1_obj-2",
                    "name": "assessment-objective",
                    "prose": "Evidence on the execution of the post-release actions"
                  }
                ]
              }
            ],
            "links": [
              {
                "href": "./catalog-en-40000-1-3.json#clause-11-1",
                "rel": "related",
                "text": "EN 40000-1-3 §11.1"
              }
            ]
          }
        ]
      }
    ]
  }
}
